Cybersecurity vs Cyber Resilience
Good ICT practice requires that cybersecurity trends are followed and that protective measures are selected according to risk exposure. In practice, this selection is usually a compromise between technological requirements, usability and budgetary constraints. It is important to remember that digital security is a constant “arms race” in which the number of potential attack vectors and breaches grows in direct proportion to overall development and technological leaps. So-called bad actors in the ICT world familiarize themselves with every new innovation and try to use it to achieve their goals (for example, using artificial intelligence to support offensive actions).
The range of defensive measures that ensure business continuity and protect against breaches of data integrity (and confidentiality) is constantly growing. Their use determines an organization’s ability to withstand the growing cyber threat. They are complemented by measures to build digital resilience, i.e. the ability to limit the damage if the security of the ICT system is nevertheless compromised. Cyber resilience addresses all external and internal threats and requires an understanding that no digital protection system is perfect (even with full vendor support and installation of updates). In summary, cybersecurity techniques aim to minimize the risk of an attack, while a cyber resilience strategy includes measures to minimize the impact of attacks. The more closely these two categories are linked, the more comprehensive an organization’s approach to ICT security will be.
DORA
Digital Operational Resilience Act
The adopted DORA (Digital Operational Resilience Act) is a practical interpretation of a systematized approach to cyber resilience. As a regulation of the European Parliament and the EU Council on the operational digital resilience of the financial sector, it is directly applicable in all EU countries and has been in force since January 17, 2025. It introduces a single standard for ICT risk management across the EU financial market, ensures the exchange of information and draws attention to supply chain risks, including concentration risks.
Entities covered by the Regulation must define their own operational requirements, in particular when using subcontractors and external suppliers, and put in place rules to manage the associated risks. The policies and procedures implemented must include emergency management, including reporting incidents to the regulator within the specified timeframe.
External service providers identified in DORA:
Key areas of activity under DORA
ICT risk management
Incident management
Cyber resilience testing
External service provider risk management
Cyber threat intelligence tracking and reporting
Supply chain risk management
How Atman Addresses DORA
As a telecommunications operator and provider of ICT services to the financial sector, among others, Atman has for several years been working with its customers to incorporate the requirements arising from the current recommendations and regulations of financial market regulators into its contractual provisions and to adapt its services accordingly.
As part of the support provided in relation to DORA, Atman is ready to modify the services it provides so that they meet the customer’s individual requirements resulting from its risk analysis and, consequently, comply with the obligations set forth in this regulation.
The workflow suggested by Atman is shown in the following matrix of responsibilities.
If you are our customer and have identified the need to change contractual terms and adapt the scope of services provided to meet regulatory requirements, please send a proposal for such changes to your Account Manager in Atman so that the necessary actions can be taken.
FAQ
DORA (Digital Operational Resilience Act) is an EU regulation aimed at strengthening the operational resilience of digital systems used by the financial sector. It introduces a set of digital security, risk management and disaster recovery requirements to ensure business continuity and the protection of financial data. It is effective as of January 17, 2025.
The key responsibilities of ICT providers under DORA include ensuring business continuity and digital resilience. They must implement appropriate risk management measures, including monitoring and responding to threats. In addition, ICT providers must regularly test and audit their systems to ensure compliance. It is also important to maintain appropriate incident management procedures and ensure transparency with customers and regulators.
We are prepared to customize our offering based on each customer’s specific risk analysis and regulatory requirements. This includes customization of security levels, risk management methods, and data recovery procedures.
When a customer identifies the need for a contract amendment to comply with DORA, we ask them to submit a proposed amendment. We will then analyze and negotiate the proposal with the customer to quickly implement the necessary contract changes.
For more information, please contact our Customer Service team. They can provide you with detailed information about our services, our approach to security, and options for working together in a DORA-compliant manner.